8.0.2

8.0.2

Security fundamentals

• Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors. See PR #2778 for details.

Bug fixes

• IdentityModel now allows the JWT payload to be an empty string. See issue #2656 for details.
• Cache UseRfcDefinitionOfEpkAndKid switch. See PR #2747 for details.
• Method was named DoNotFailOnMissingTid in 7x and DontFailOnMissingTid in 8x, adding the method for back compat. See issue #2750 for details.
• Metadata is now updated on a background thread. See #2780 for details.
• JsonWebKeySet stores the original string it was created with. See PR #2755 for details.
• Restore AOT compatibility. See #2711.
• Fix OpenIdConnect parsing bug. See #2772 for details.
• Remove the lock on creating a SignatureProvider. See #2788 for details.

Fundamentals

• Test clean up #2742.
• Use only FxCop in .NET framework targets #2693.
• Add rule to add file headers automatically #2748.
• Code analysis updates #2746.
• Include README packages in NuGet #2752.
• Update projects inside WilsonUnix solution #2768.
• Code style enforced in build #2603.
• CodeQL update #2767.
• Update build pipeline to new one release build format #2777.
• Update GitHub actions to 9.0.100-preview.7.24407.12 and add <NoWarn>$(NoWarn);SYSLIB0057</NoWarn> due to breaking changes in preview7. #2786.

Work relating to #2711

• #2725, #2729, #2753, #2758, #2759, #2757, #2759, #2764, #2759, #2771, #2759, and #2779.

What's Changed

• Remove old 6x tests used that are not needed anymore by @brentschmaltz in #2742
• Only use fxcop in netfw by @keegan-caruso in #2693
• Allow Jwt payload to be the empty string. by @brentschmaltz in #2745
• Add rule to add file headers automatically. by @pmaytak in #2748
• Remove Delegate Checks in Multiple Validators and Prevents Null Setting of Delegates by @FuPingFranco in #2725
• Fix CodeQL by @pmaytak in #2746
• Cache UseRfcDefinitionOfEpkAndKid switch. by @pmaytak in #2747
• Decrypt token: Remove exceptions + use new ValidationParameters by @iNinja in #2729
• Include README packages in NuGet by @localden in #2752
• Remove internals for new work. by @brentschmaltz in #2753
• Add property named differently in 7x. by @brentschmaltz in #2756
• Remove SlimLock when updating metadata. by @brentschmaltz in #2751
• Revert "Remove SlimLock when updating metadata. (#2751)" by @keegan-caruso in #2762
• Remove Delegate Checks Audience Validator and Prevents Null Setting of Delegate by @FuPingFranco in #2758
• Re-factor Issuer Validator to Follow New Validation Model by @FuPingFranco in #2759
• Update projects inside WilsonUnix solution by @iNinja in #2768
• JsonWebKeySet stores the String it was created with by @westin-m in #2755
• Signature Validation: Remove exceptions by @iNinja in #2757
• Validate IssuerSigningKey: Refactor to use ValidationParameters over TVP by @iNinja in #2764
• Enable EnforceCodeStyleInBuild and fix findings by @keegan-caruso in #2763
• Restore AOT compatibility for IdentityModel by @iNinja in #2773
• try to fix codeQL by @jennyf19 in #2767
• Fix Open Id connect parsing bug. by @keegan-caruso in #2776
• ValidateTokenAsync: New code path by @iNinja in #2771
• Add lock when configuration is null by @brentschmaltz in #2780
• Add BannedApiAnalyzers to prevent use of ClaimsIdentity constructors by @pmaytak in #2778
• Adding benchmark for new ValidateTokenAsync model vs old by @FuPingFranco in #2779
• updates for one build by @jennyf19 in #2777
• update to 9.0.100-preview.7.24407.12 by @jennyf19 in #2786
• Remove lock when creating a SignatureProvider by @brentschmaltz in #2788

New Contributors

• @localden made their first contribution in #2752

Full Changelog: 8.0.1...8.0.2

8.0.1

8.0.1

Bug fixes

• IdentityModel now resolves the public key for ECDH. See issue #1951 for details.
• Fix a race condition where SignatureProvider was disposed but still able to leverage the cache and SignatureProvider now disposes when compacting. See PR #2682 for details.
• For JWE, JsonWebTokenHandler.ValidateJWEAsync now considers the decrypt keys in the configuration. See issue #2737 for details.

Performance improvement

• AppContext.TryGetSwitch statically caches internally but takes out a lock.
  .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

7.7.1

7.7.1

Bug Fix

• Re-add JsonSerializerPrimitives.TryAllStringClaimsAsDateTime which was removed as it is in an internal class, but due to InternalsVisibleTo can lead to a MissingMethodException if IdentityModel versions are not aligned. See PR #2734 for details.

7.7.0

7.7.0

CVE package updates

CVE-2024-30105

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #2715 for details.

Performance improvement

• AppContext.TryGetSwitch statically caches internally but takes out a lock.
  .NET almost always caches these values. They're not expected to change while the process is running unlike normal config. IdentityModel now caches the value. See issue #2722 for details.

6.36.0

6.36.0

CVE package updates

CVE-2024-30105

New feature

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Opt in to the new behavior via an AppContext switch. See PR #2710 for details.

Fundamentals

• Update signing info for NuGet packages. See PR #2696 for details.

8.0.0

8.0.0

CVE package updates

CVE-2024-30105

• See PR #2707 for details.

Breaking change:

Full list of breaking changes.

• A derived ClaimsIdentity where claim retrieval is case-sensitive. The current ClaimsIdentity, in .NET, retrieves claims in a case-insensitive manner which is different than querying the underlying SecurityToken. The new CaseSensitiveClaimsIdentity class provides consistent retrieval logic with SecurityToken. Fallback to previous behavior via an AppContext switch. See PR #2700 for details.
• Make CollectionUtilities.IsNullOrEmpty internal. If your code used this method, you now have to provide your own implementation. See issues #2651 and #1722 for details.

Overall improvements to the validation in IdentityModel:

• See design proposal #2711 for details, all work internal for now. Please comment in the GitHub issue and provide feedback there.

New Features:

• Allow users to provide a Stream to Write in OIDCConfigurationSerializer. See PR #2698 for details.

Bug fixes:

• Remove dependency on AadIssuerValidator.GetTenantIdFromToken in ValidateIssuerSigningKey, to only consider the tid. An AppContext switch enables fallbacking to the previous behavior, which should not be needed. See PR #2680 for details.
• Continuation of #2637 and #2646. Add the metadata authorization_details_types_supported from RFC 9396 - OAuth 2.0 Rich Authorization Requests to OpenIdConnectConfiguration.
• The class OpenIdConnectPrompt now has the create prompt from Initiating User Registration via OpenID Connect 1.0
  
• The following grant types are now included in OpenIdConnectGrantTypes: urn:ietf:params:oauth:grant-type:saml2-bearer from RFC 7522 - Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:jwt-bearer from RFC 7523 - JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants, urn:ietf:params:oauth:grant-type:device_code from RFC 8628 - OAuth 2.0 Device Authorization Grant, urn:ietf:params:oauth:grant-type:token-exchange from RFC 8693 - OAuth 2.0 Token Exchange, urn:openid:params:grant-type:ciba from OpenID Connect Client-Initiated Backchannel Authentication Flow - Core 1.0
• Serialize byte arrays as base64 strings in Json tokens. This was the behavior in 6.x releases. See issue #2524 for details.
• When we added virtuals to abstract methods that threw in the base class, we then called those methods that were implemented in user derived classes. The user code would fault with a NotImplementedException. Now a message is returned that the user can act on to fix the issue. See issue #1970.

Fundamentals

• Remove code that was used in target frameworks that got removed. See PR #2673 for details.
• Rename local variables for better readability. See PR #2674 for details.
• Refactor XML comments for improved clarity. See PR #2676, #2677, #2678, #2689 and #2703 for details.
• Fix flaky test. See issue #2683 for details.
• Made ConfigurationManager.GetConfigurationAsync a virtual method. See PR #2661

8.0.0-preview1

8.0.0-preview1

Breaking changes:

• IdentityModel 8x no longer supports .net461, which has reached end of life and is no longer supported. See issue #2544 for details.
• Two IdentityModel extension dlls Microsoft.IdentityModel.KeyVaultExtensions and Microsoft.IdentityModel.ManagedKeyVaultSecurityKey were using ADAL, which is no longer supported . The affected packages have been removed, as the replacement is to use Microsoft.Identity.Web. See issue #2454 for details.
• AppContext.SetSwitch which were included in IdentityModel 7x, have been removed and are the default in IdentityModel 8x. The result is a more performant IdentityModel by default. See issue #2629 and https://aka.ms/IdentityModel8x for details.

7.6.2

7.6.2

Bug Fix:

• Revert reduced allocations in AadIssuerValidator by not using string.Replace where appropriate due to an index out-of-range error.

7.6.1

7.6.1

New Features:

• Add missing metadata parameters to OpenIdConnectConfiguration. See issue #2498 for details.

Bug Fixes:

• Fix over-reporting of IDX14100. See issue #2058 and PR #2618 for details.
• JwtRegisteredClaimNames now contains previously missing Standard OpenIdConnect claims. See issue #1598 for details.

Performance Improvements:

• Reduced allocations in AadIssuerValidator by not using string.Replace where appropriate. See issue #2595 and PR #2597 for more details.
• No longer for every string claim, calling DateTime.TryParse on each value, whether it is expected to be a DateTime or not. See issue #2615 for details.

7.6.0

7.6.0

New Features:

• Update JsonWebToken - extract and expose the method that reads the header/payload property values from the reader so it can be overridden in children classes to add any extra own logic. See issues #2581, #2583, and #2495 for details.

Bug Fixes:

• JWE header algorithm is now compliant to IANA document. See issue #2089 for details.

Performance Improvements:

• Reduce the number of internal array allocations that need to happen for each claim set, see PR #2596.

Fundamentals:

• Add an AOT compatibility check on each PR to ensure only AOT compatible code is checked-in. See PR #2598.
• Update perl scrip for OneBranch build. See PR #2602.
• Add langversion 12 to benchmark tests. See PR #2601.
• Removed unused build.cmd file. See PR #2605.
• Create CodeQL exclusions file. See PR #2609.
• Fix variable usage in AOT script. See PR #2610.
• Move Microsoft.IdentityModel.Tokens delegates to a new file. See PR #2606